packet capture on server in dmz

carl_townshend · ‎07-09-2009

Hi all

is it correct that when I do a packet capture on my webserver in the dmz, I never see the true public destinationip address, I only ever see the destination as the interface of my dmz when the traffic is going back to the web, why is this ?

johnspaulding · ‎07-09-2009

You can do a packet capture with the following commands

example

create an extended access-list matching the traffic src/dst or type of traffic.

access-list ex CAPTURE permit tcp host 10.10.10.1 host 10.10.10.2

under global config

capture CAPTURE_THIS_TRAFFIC access-list CAPTURE

than do a show capture to view the output

Hope this helps

carl_townshend · ‎07-10-2009

hi there

when traffic from outside the firewall comes into my dmz gets natted, Am I right in saying that the source address from outside does not change, for some reason when I do a packet capture on the dmz net server, i always see the source as the dmz interface and the destination the server, in which case when the traffic goes back to the destination, how does it know where to go?? I would expect the source to be kept intact, or would it get changed to the firewall interface, how does it know where to send it back to?? would this be in the state table ?

johnspaulding · ‎07-10-2009

Could you post the capture output that you doing?

But yes if the traffic is getting Nat'd from outside to DMZ the source should be the Nat'd ip address. Ip depends on the set up.